Skip to content

Cybersecurity Insights

CMMC Level 2 Suspended by DOW

Posted in CMMC

The Department of War has announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, delaying the planned transition to mandatory third-party CMMC Level 2 assessments, which were scheduled to begin on November 10, 2026. The Department stated that Phase I self-assessment requirements remain in effect while it conducts a 60-day review of the CMMC program.
For thousands of companies in the Defense Industrial Base (DIB), the announcement raises an important question:
Does this mean CMMC is going away?
The short answer is no.
Although the Department is pausing Phase II implementation, the cybersecurity requirements that protect Controlled Unclassified Information (CUI) have not disappeared. Defense contractors should view this as an opportunity to improve their cybersecurity, not as a reason to stop preparing.

What Happened?

On July 13, 2026, the Department of War announced that it is suspending the transition to CMMC Phase II, including pending and future milestones requiring third-party CMMC Level 2 assessments. Instead, companies that would have entered Phase II will continue operating under the current Phase I requirements while the Department evaluates potential reforms.
According to the Department, the review is intended to reduce unnecessary compliance burdens, particularly for small and mid-sized defense contractors, while maintaining strong cybersecurity across the Defense Industrial Base. A newly established CMMC Reform Task Force will evaluate the program and provide recommendations within 60 days.

Why Did the Department Pause Phase II?

The Department cited growing concerns that the cost and complexity of mandatory third-party assessments were discouraging innovative companies from participating in defense contracts.
Many contractors reported spending hundreds of thousands of dollars preparing for certification while also facing long waits to schedule assessments because of limited assessor availability. Industry groups warned that these challenges were shrinking the defense supplier base and slowing acquisition efforts.
The suspension is intended to provide time to evaluate ways to preserve cybersecurity while making compliance more practical for defense contractors.

What Has Not Changed?

While the headlines focus on the suspension, several important requirements remain in place.
Most importantly, Phase I self-assessment requirements continue to apply where required by contract. The Department has not eliminated the requirement to protect Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). It has also not announced that NIST SP 800-171 is no longer expected for contractors handling CUI.
In other words, cybersecurity expectations have not disappeared. Only the planned timeline for mandatory third-party certification has changed.

What Does This Mean for Defense Contractors?

For many contractors, this announcement provides welcome breathing room. However, it should not be interpreted as an opportunity to delay cybersecurity improvements.
Think of it like training for a marathon that has been postponed. The race date may change, but stopping your training altogether only makes the eventual race more difficult.
Companies that continue to improve their cybersecurity today will be in a much stronger position, regardless of how the Department ultimately revises the program.
Businesses that stop preparing may find themselves rushing once new implementation guidance is released.

Why NIST 800-171 Still Matters

Even with the Phase II suspension, NIST SP 800-171 remains one of the most important cybersecurity standards for companies that process, store, or transmit Controlled Unclassified Information.
The 110 security requirements within NIST 800-171 represent proven safeguards designed to protect sensitive government information from increasingly sophisticated cyber threats.
Implementing these controls is not simply about compliance. It improves security by strengthening identity management, protecting sensitive data, reducing ransomware risk, improving monitoring capabilities, and enhancing incident response readiness.
Many companies discover that the operational benefits of implementing NIST 800-171 extend well beyond government contracting.

Should Companies Continue Preparing?

For most defense contractors, the answer is yes.
Cybersecurity threats have not paused simply because regulatory timelines have changed.
Ransomware groups continue targeting manufacturers, aerospace companies, engineering firms, research organizations, and defense suppliers. Foreign nation-state actors continue seeking access to intellectual property and defense-related information.
The companies that continue investing in cybersecurity today will be better prepared for future regulatory requirements and significantly better protected against real-world cyber threats.
Preparation also reduces the stress and expense associated with last-minute compliance efforts.

What Businesses Should Do Next

Rather than waiting for the Department’s review results, contractors should use this opportunity to strengthen their cybersecurity foundation.
Review your current NIST 800-171 implementation, identify security gaps, update your System Security Plan (SSP), improve your Plan of Action and Milestones (POA&M), validate technical controls, and ensure your security documentation accurately reflects current practices.
If your business has not recently performed a cybersecurity assessment, now is an excellent time to establish a realistic baseline before future CMMC requirements are finalized.

Frequently Asked Questions

Has CMMC been canceled?

No. The Department has suspended the implementation of Phase II requirements, but the CMMC program has not been eliminated. A formal review is underway, and additional guidance is expected after that process concludes.

Are third-party CMMC assessments still required?

Not at this time for the paused Phase II implementation. The Department has temporarily suspended the planned transition to mandatory third-party assessments while reviewing the program.

Do contractors still need to comply with NIST 800-171?

Yes. Contractors handling Controlled Unclassified Information should continue implementing and maintaining NIST SP 800-171 security controls. The suspension does not remove the need to protect sensitive government information.

Are Phase I CMMC requirements still active?

Yes. The Department has confirmed that Phase I self-assessment requirements remain in effect.

Should companies stop preparing for CMMC?

No. Continuing to improve cybersecurity and prepare for future CMMC requirements will reduce both business risk and future compliance costs.

When will the Department announce its next decision?

The Department has stated that a newly formed task force will conduct a 60-day review and provide recommendations regarding the future direction of the CMMC program.

Final Thoughts

The suspension of CMMC Phase II is an important policy change, but it should not be mistaken for the end of cybersecurity requirements for defense contractors.
The Department has made it clear that protecting sensitive government information remains a priority. The current pause is intended to review how compliance is implemented—not whether cybersecurity is necessary.
For defense contractors, the smartest approach is to use this additional time to strengthen security, improve documentation, and continue aligning with NIST SP 800-171. Companies that stay prepared today will be far better positioned for whatever the next phase of CMMC looks like tomorrow.

Schedule a Call

Name*
Please let us know what's on your mind. Have a question for us? Ask away.